

What is the best way to connect our Windows 2008 SBS with another Windows 2008 Enterprise Server at a Branch Office?

Posted on 2011-09-29
Medium Priority
Last Modified: 2012-05-12
Good evening.

We have our main server which is a Windows 2008 SBS and is our Domain Controller. We'd like to connect our Branch Office which has a Windows 2008 Enterprise server as a read-only active directory setup.

Is this possible with out current server OS setup? We are using LogMeIn Hamachi as a VPN solution. Any advice will be greatly appreciated!

Question by:Poly11
LVL 77

Expert Comment

by:Rob Williams
ID: 36818452
Hamachi can be used but it is not the most stable VPN solution and uses dynamic IP addressing for the tunnel creation. I would recommend using two VPN routers which start at about $150 for a unit like a Netgear FVS318 or Linksys/Cisco RV042.

You mention the remote server is a read only DC? Is it a member of the SBS domain? If so you are already connected. If a member of another domain you cannot create a trust with the SBS. Perhaps if you could provide more details.

Author Comment

ID: 36891615
Hi RobWill.

Thanks for the quick response. The remote server is a member of the SBS domain, at least it was before it was relocated to the branch office. I have opened the LDAP port on the firewall to allow the incoming and outgoing traffic, but I am still receiving NETLOGON errors in the event log of the remote server. The following is the error:

This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

I can't open the Active Directory Users and Groups because it says the server is not operational. I have also opened the LDAP port on the firewall for the branch office. Are there other ports that should be opened?

I will try and convince the powers that be that a VPN hardware solution is recommended, however they love Hamachi because of its ease of use and central management capability. We have the paid version of LogMeIn Central which gives us use of Hamachi. I haven't noticed any IP addresses change over the past year.

Could you please let me know if it's possible to get both domain controllers remotely connected with what we have? Thanks again.
LVL 77

Accepted Solution

Rob Williams earned 2000 total points
ID: 36892325
-A VPN should allow all traffic, so that shouldn't be an issue.
-The remote site must use a different subnet, does it?
-Because it is a different subnet some windows services may not work. The default configuration in the Windows firewall for some services is to only allow access from the local subnet. To test this I would disable the Windows firewalls. If that resolves the problem we can proceed from there.
-I suspect though the issue is the routing. The remote server must see the SBS as its ONLY DNS server. Can the remote server ping the SBS? If not you may need to add static routes. If so this is why you need a pair of VPN routers. The static route would point to the Hamachi IP as the gateway. Hamachi assigns dynamic IPs so this is always changing, though you say you haven't seen any changes.
-Once the remote server can access the SBS you need to add the remote site and subnet in Active Directory sites and services, but I think the routing is the primary concern.

Let me know if the firewall makes a difference and if you can ping the SBS. If not I can supply routes to add.
Again the remote server can point only to the SBS, do not add local or ISP's DNS servers to the NIC configuration, they can be added as forwarders.

Expert Comment

ID: 36906538
I have found Hamachi doesn't consistently work for network to network traffic. The best way I have seen is firewall to firewall (point to point) setups. Then the two can act as the routers and gateways to route traffic through the right subnets. Most of them also won't allow you to use overlapping subnets, which will help you keep things as standard as possible. For ease, I have seen two Untangle firewalls work well (one is set as server, you then make a file to bring to the other one to make it a client, the app does all the configuring for you). I myself like the SonicWalls and found they work really well also.

In regards to the routing, I also agree. Often what you will see is something like unqualified lookups don't work. For example, pinging server1 does not work, but server1.domain.local will, or by IP will.
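The checks from the accepted solution above (ping the SBS, NIC pointing only at the SBS for DNS, static route via the Hamachi peer, DC location) and the unqualified-versus-qualified lookup symptom in the comment just above, gathered into one diagnostic script. This is an added example, not code posted by anyone in the thread; every address, subnet and name below is a placeholder to replace with your own, and it is meant to be run in an elevated PowerShell on the branch-office DC.

```powershell
# Added diagnostic example (not from the thread). All values are placeholders.
$SbsIp      = "192.0.2.10"       # LAN IP of the SBS (main-office DC and DNS server)
$SbsSubnet  = "192.0.2.0"        # main-office subnet and mask, used for the static route
$SbsMask    = "255.255.255.0"
$HamachiGw  = "25.0.0.1"         # Hamachi tunnel address of the SBS end (placeholder)
$DomainFqdn = "domain.local"     # AD DNS domain name (placeholder)
$ShortName  = "sbs"              # unqualified host name of the SBS (placeholder)

# 1. Can the remote DC reach the SBS at all? If not, the tunnel or routing is the problem.
$reachable = Test-Connection -ComputerName $SbsIp -Count 2 -Quiet
"Ping $SbsIp : $reachable"
if (-not $reachable) {
    "No route to the SBS. A persistent static route via the Hamachi peer would be:"
    "  route -p add $SbsSubnet mask $SbsMask $HamachiGw"
}

# 2. Every enabled NIC must list ONLY the SBS as DNS server; ISP or local resolvers
#    are added as forwarders on the SBS, never on the remote server's NIC.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
  ForEach-Object {
    $extra = @($_.DNSServerSearchOrder) | Where-Object { $_ -and $_ -ne $SbsIp }
    if ($extra) { "WARNING: $($_.Description) also uses DNS $($extra -join ', ')" }
    else        { "OK: $($_.Description) uses DNS $($_.DNSServerSearchOrder -join ', ')" }
  }

# 3. Can a DC be located through the SRV records that NETLOGON depends on?
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainFqdn" $SbsIp 2>&1 | Select-String "svr hostname"
nltest /dsgetdc:$DomainFqdn /force 2>&1 | Select-String "DC:|Error"

# 4. Unqualified vs. fully qualified lookup (the symptom described in the comment above).
foreach ($n in @($ShortName, "$ShortName.$DomainFqdn")) {
    try   { "$n -> $(([System.Net.Dns]::GetHostAddresses($n) | Select-Object -First 1).IPAddressToString)" }
    catch { "$n -> FAILED (if only the short name fails, check the DNS suffix search list)" }
}

# 5. Secure channel to the domain; a failure here matches the event-log error quoted above.
"Secure channel OK: $(Test-ComputerSecureChannel)"
```

Run it once with the Windows Firewall enabled and once with it disabled, as the accepted solution suggests, and compare the output of steps 1 and 3 before touching routes.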

Author Closing Comment

ID: 36954643
Since the recommended changes, Hamachi has been working like a charm. Thanks again, Rob Will!
